Business Email Compromise StatisticsCrunching the Numbers on the Threat Posed by BEC Attacks
Gauging the Financial Impact of Business Email Compromise
Business email compromise isn’t a niche threat affecting careless organizations. It’s a multi-billion dollar epidemic hitting businesses of every size, across every industry.
While the tactics may seem straightforward, the financial devastation is anything but. As we’ll explore in this chapter, the numbers behind business email compromise paint a sobering picture.
Understanding the scope of BEC losses and how they ripple across the payments ecosystem helps merchants grasp why this threat demands immediate attention and ongoing vigilance.
Business Email Compromise
The FBI calls business email compromise “the $26 billion dollar scam.” How is that possible? This article will take a close look at BEC scams to explain what they are, why they’re such an expensive problem, and also how you and your employees might be targeted.
The Market-Wide Financial Toll of BEC Attacks
Business email compromise has evolved into one of the costliest cybercrimes in existence. According to the FBI’s Internet Crime Complaint Center (IC3), BEC scams have resulted in more than $55.5 billion in losses globally over the past decade. That’s more than the GDP of many small nations... all vanished through carefully orchestrated email schemes.
The trajectory shows no signs of slowing. IC3 data shows that, in 2024 alone, Americans lost $16.6 billion to cyber fraud and internet crimes; a 33% increase from the previous year. Of that total, BEC accounted for approximately $2.9 billion, making it the second-costliest category of cybercrime after investment fraud. And, between 2022 and 2024, BEC losses totaled nearly $8.5 billion.
Perhaps even more alarming than the aggregate losses is the trend in average loss per incident. FBI data shows that the average loss per BEC incident now stands at $137,000 That’s up from $74,723 in 2019; an 83% increase. This means fewer businesses are being targeted, but those who fall victim are losing significantly more money per attack.
of businesses experienced a BEC attack in 2024.
Source: Trend Micro
Rate at which BEC attacks increased in 2025.
Source: Proofpoint
of organizations experienced BEC in 2024.
Source: Association of Finance Professionals
of BEC attacks begin with phishing emails.
Source: Verizon
of financial losses from BEC are unrecoverable.
Source: IBM Security
The success rate for freezing fraudulent BEC transfers when reported within 24 hours.
Source: FBI
How BEC Impacts Merchants
BEC represents a particularly acute threat because it bypasses traditional fraud controls entirely and exploits trusted internal processes. A single compromised email thread can result in six-figure losses that never touch your payment gateway or show up in your fraud analytics until it’s too late.
The direct financial impact is immediate and brutal. When a merchant's finance team wires payment to a fraudster-controlled account instead of a legitimate vendor, that money is typically gone within hours.
Merchants face cascading operational consequences beyond the direct theft. Vendor relationships suffer when legitimate suppliers don’t receive payment. Credit lines get frozen as banks investigate the fraud. Insurance premiums spike, if cyber insurance even covers social engineering attacks (many policies exclude or limit it). The investigation, legal, and remediation costs add tens of thousands of dollars on top of the stolen funds, and that's before you even consider the productivity drain as staff spend weeks reconstructing what happened and implementing new controls.
For small and mid-sized businesses, which account for 28% of BEC victims, a single successful attack can threaten the entire business’s viability.
How BEC Impacts Financial Institutions
Banks and payment processors occupy an uncomfortable position in BEC attacks, as they’re the ones that facilitate the fraudulent transfers.
At least one federal court has held a receiving financial institution liable for BEC losses when it failed to act on anti-money laundering alerts. This precedent could dramatically expand bank liability for BEC-related losses. But, financial institutions face significant operational burdens from BEC attacks, even without direct liability.
When victims report fraud, banks must immediately attempt fund recovery—contacting receiving institutions, filing recalls, and coordinating with law enforcement. The success rate depends entirely on timing; after 72 hours, funds have typically been dispersed through multiple accounts and jurisdictions, making recovery virtually impossible by that point. Banks may handle dozens or hundreds of BEC reports monthly, each requiring urgent investigation and documentation.
Banks in Hong Kong and China were the primary international destinations for fraudulent funds in 2022, followed by the United Kingdom, Mexico, and Singapore. Receiving institutions face regulatory scrutiny when accounts under their control receive BEC transfers, potentially triggering suspicious activity reports (SARs) and enhanced due diligence requirements. Some institutions have faced enforcement actions for inadequate anti-money laundering controls that allowed BEC proceeds to flow through their systems.
Financial institutions also bear the cost of enhanced security measures and customer education. Many banks have implemented additional verification requirements for large wire transfers, multi-channel authentication for payment changes, and callback procedures for unusual requests. These controls add friction to legitimate transactions, but they’re necessary to combat the threat.
